The global COVID-19 pandemic brought no relief from the problems facing data protection efforts and data protection professionals. If anything, the challenges multiplied, both from a security and breach prevention perspective and from a regulatory standpoint. Ransomware grew, and state-sponsored actors were as active as ever. What's more, widespread work-from-home practices meant that the attack surface expanded to every employee's home network and personal devices.
It should be no surprise that roughly 70% of respondents in a new Avant Analytics study say they fear that a successful security breach could cost them their jobs. Fortunately, data protection professionals are learning new tricks, and the available technology -- often infused with AI -- is getting better. With that in mind, here are some data protection challenges to keep on your radar.
1. Security threats
The human element remains the No. 1 concern. Most of the successful attacks and breaches have involved a human failing, typically exploited through phishing or spear phishing.
Although the business might push back against onerous, time-consuming anti-phishing training and express concern that people will become too wary of the online world to do their jobs properly, many organizations can move the needle significantly through these measures. Well-articulated programs -- promoted with a human face so they don't come across as the proverbial Big Brother -- can dramatically reduce the success rate of attacks.
Other types of organizational hardening are also important. For example, a small city in the northeast recently suffered a single spear-phishing incident that netted a half-million dollars for the attackers. Although the targeted official got most of the blame, the procedures that should govern any large fund transfer -- such as out-of-band verification of changed payment instructions and approval by a second person -- had lapsed or weren't practiced with rigor. A few emails created the setup, and one bad decision delivered the payday.
Ransomware, which often begins with phishing, remains a great and growing threat. Network segmentation and air gaps to keep small breaches from becoming large ones, encryption, and more comprehensive backup and archiving -- with at least one copy kept offline or immutable so the attackers can't encrypt it too -- are tactics that offer some hope of blunting this attack mode.
2. Physical security
The coronavirus pandemic has put in focus one of the least glamorous and most neglected aspects of data protection: physical security. Empty or mostly empty offices are a temptation to bad actors. With no one around, anyone with credentials, keys or other means of entering a business space could access systems with less likelihood of detection than in the past.
The physical perimeter expanded, too. Remote workers -- now the rule rather than the exception -- risk losing credentials or data to disgruntled or irresponsible family members, roommates or their own carelessness. And that's not even considering those who rely on public spaces to conduct private business. Physical locking mechanisms and privacy screens that make it harder for a nearby individual to see or photograph a display will likely get more attention as a result.
Because physical and logical security are often under different management groups -- physical is mostly under the control of facilities -- and have different business processes, there is a risk of divided command: a badge revoked by facilities but an account left active by IT, or the reverse. Establish good coordination or, if possible, put both responsibilities under one group.
3. Insider threats
A small percentage of the people entrusted with protecting systems from hacking, breaches and poor data stewardship are either already bad actors or could become bad actors in the right situation.
And with insiders and outsiders mingling as never before, HR and legal must be engaged to better understand the risks from employees and others, such as third-party contractors, with potential access to data. Most companies eliminate access privileges upon termination, but doing so requires near-real-time coordination between HR and the teams that administer accounts, and it has to cover not just the primary login but VPN access, SaaS accounts, API keys and active sessions. An angry employee going out the door with access intact can cause a lot of trouble in a brief period.
Clear rules, roles and responsibilities must be spelled out and enforced. Communicating that mischief will be detected and punished is as important as any other action in encouraging good behavior and discouraging bad behavior.
4. Regulatory requirements
Growing regulatory requirements -- especially in the European Union -- are putting data protection efforts between a rock and a hard place. Efforts to protect against the bad guys must be unceasing, yet every new requirement makes handling data more complex.
In the summer of 2020, the EU Court of Justice, in a case usually shortened to Schrems II, invalidated the adequacy decision that had allowed the EU-U.S. Privacy Shield framework to stand in for the fuller data privacy protections required in the EU. The court's core finding was that U.S. surveillance law gives the government access to transferred data without protections essentially equivalent to those in the EU, which makes compliance difficult for U.S.-based companies regardless of how carefully they handle the data themselves.
The change leaves thousands of U.S. companies scrambling for a workable alternative. The court left standard contractual clauses in place, but only with a costly and time-consuming case-by-case examination of the data being transferred and the adequacy of the protections offered on the U.S. side.
There are other challenges posed by the EU's GDPR and the California Consumer Privacy Act (CCPA), which now more closely resembles its European inspiration through the recently passed California Privacy Rights Act (CPRA). CPRA passed as a ballot initiative in November 2020, the same year CCPA took effect. However, most of its new provisions won't become effective until Jan. 1, 2023.
5. Privacy
Although privacy has often been folded into security and regulatory compliance, it's acquiring an existence of its own. In many cases, data breaches have exposed private information, raising concerns among the public. These concerns contributed to the creation of GDPR, CCPA and similar regulations, prompting some to suggest that starting with privacy as a priority might make sense or, at least, put the regulated community in a better position for the future.
One part of this picture is the "privacy by design" movement. The idea originated with Ann Cavoukian, then Ontario's information and privacy commissioner, in the 1990s and acquired various supporters and supporting legislation thereafter. Perhaps its most concrete embodiment is the work of the ISO project committee ISO/PC 317, Consumer protection: Privacy by design for consumer goods and services. The standard it has been developing since 2018 aims to influence the design process so that consumers have access to products and services that protect personal privacy by default.
Data protection principles could evolve even more rapidly in the year ahead, as arguments about privacy, free speech and the power of big tech become more of a focus.